Azure Enterprise Landing Zone Model (Zero Trust)

This diagram illustrates a modernized, Zero Trust-aligned Azure environment, highlighting credential-less identity, defense-in-depth networking, and policy-driven governance.

Billing Account

Top-level financial ownership and cost aggregation.

e.g., Enterprise Agreement or MCA

Microsoft Entra ID Tenant

Central identity provider using modern authentication.

  • Users and Groups: Managed via Entra ID; PIM for privileged access.
  • Workload Identities: Credential-less identities for automation and applications.
    • CI/CD Pipeline (OIDC)
      • Federated Credentials: Trust Azure DevOps OIDC tokens for deployment; no secrets needed.
    • Application Workloads (UAMI)
      • uami-prod-api-workload: Managed Identity for Prod API access to Key Vault.
      • uami-qa-api-workload: Managed Identity for the QA API.

Management Group Hierarchy

Applies inherited Azure Policies and RBAC for governance.

  • Management Group: "Platform"
    Policy: Deny Public IP Creation (Inherited by all subs).
    Policy: Enforce Tagging Taxonomy.
    • Subscription: "Connectivity"
      Hosts central networking and security infrastructure.
      • Resource Group: "rg-platform-connectivity"
        • Hub VNet: "vnet-hub-weu"
          Region: West Europe
          Central point for traffic, protected by DDoS Plan.
          • AzureFirewallSubnet: Contains Azure Firewall (Standard).
          • GatewaySubnet: For VPN/ExpressRoute (Optional).
          • AzureBastionSubnet: Secure RDP/SSH.
            Mandatory NSG Applied
        • Private DNS Zones: Central zones for Private Link (e.g., Key Vault, ACR). Automatically linked by Spokes.
        • DDoS Protection Plan: Standard tier, associated with Hub and Spoke VNets.
  • Management Group: "Production"
    Policy: Inherits "Deny Public IP". Additional restrictive policies apply here.
    • Subscription: "Prod Environment"
      Hosts production workloads. Restricted access via PIM.
      • Resource Group: "rg-prod-app-services"
        • Spoke VNet: "vnet-prod-spoke"
          Region: West Europe
          VNet Peering: To "vnet-hub-weu"
          Route Table (UDR): Forces traffic via Hub Firewall
          DNS: Linked to Hub Private DNS Zones
          Associated with DDoS Plan
          • snet-aks-nodes: For AKS nodes.
            Default NSG Applied
          • snet-private-endpoints: For Private Endpoints.
            Default NSG Applied
          • snet-app-gateway: For App Gateway.
            Specific NSG Applied
          • snet-apim: For APIM.
            Specific NSG Applied
        • Application Gateway: "appgw-prod-main"
          WAF v2 enabled, uses Public IP, routes to internal APIM.
          In "snet-app-gateway".
          Uses SSL Cert from Key Vault via Managed Identity.
        • API Management: "apim-prod-main"
          Internal mode, exposes APIs from AKS.
          In "snet-apim".
        • AKS Cluster: "aks-prod-main"
          Integrates with "vnet-prod-spoke" (snet-aks-nodes). Internal LB.
          RBAC: OIDC identity needs Contributor/AKS Cluster Admin role (assigned outside TF).
          AZ: Deployed across Availability Zones.
        • ACR: "acr-prod-main"
          RBAC: OIDC identity needs AcrPush role (assigned outside TF).
          Network: Accessed via Private Endpoint in "snet-private-endpoints".
        • Key Vault: "kv-prod-secrets"
          RBAC: Grant "uami-prod-api-workload" Secrets User role.
          Network: Accessed via Private Endpoint in "snet-private-endpoints".
        • User Assigned Identity: "uami-prod-api-workload"
          Used by AKS workloads to access Key Vault.
  • Management Group: "Non-Production"
    Policy: Inherits "Deny Public IP". More flexible policies here.
    • Subscription: "QA Environment"
      • Resource Group: "rg-qa-app-services"
        • Spoke VNet: "vnet-qa-spoke"
          Region: West Europe
          Peered to Hub, UDR to Firewall, Linked DNS
          Default NSGs applied, DDoS enabled
        • AKS, ACR, Key Vault...: Resources using the QA UAMIs and Private Endpoints.
    • Subscription: "Dev Environment"
      • Resource Group: "rg-dev-user-a"
        • Spoke VNet: "vnet-dev-spoke"
          Region: West Europe
          Peered to Hub, UDR to Firewall, Linked DNS
          Default NSGs applied, DDoS enabled
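The credential-less identity pattern from the Entra ID and Prod Environment sections above, written out as Terraform. This is an added example, not the diagram's own configuration; it assumes the azurerm 3.x provider is configured, a separate pipeline identity named "uami-prod-cicd" (not in the diagram), and Azure DevOps organisation, project and service-connection values shown as placeholders.

```hcl
data "azurerm_client_config" "current" {}

# Workload identity for the Prod API pods. No password or certificate exists for it.
resource "azurerm_user_assigned_identity" "prod_api" {
  name                = "uami-prod-api-workload"
  location            = "westeurope"
  resource_group_name = "rg-prod-app-services"
}

# Key Vault using the RBAC permission model, with public network access disabled:
# it is reachable only through the Private Endpoint in snet-private-endpoints.
resource "azurerm_key_vault" "prod" {
  name                          = "kv-prod-secrets"
  location                      = "westeurope"
  resource_group_name           = "rg-prod-app-services"
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  enable_rbac_authorization     = true
  public_network_access_enabled = false
  purge_protection_enabled      = true
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

# Least privilege: read secrets only, on this vault only.
resource "azurerm_role_assignment" "prod_api_kv_secrets" {
  scope                = azurerm_key_vault.prod.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.prod_api.principal_id
}

# Pipeline identity trusted via OIDC. Entra ID exchanges the Azure DevOps token
# for an access token only when issuer, subject and audience all match exactly.
resource "azurerm_user_assigned_identity" "cicd" {
  name                = "uami-prod-cicd"   # ASSUMED name, not in the diagram
  location            = "westeurope"
  resource_group_name = "rg-prod-app-services"
}

resource "azurerm_federated_identity_credential" "ado" {
  name                = "ado-prod-deploy"
  resource_group_name = "rg-prod-app-services"
  parent_id           = azurerm_user_assigned_identity.cicd.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = "https://vstoken.dev.azure.com/<ADO-ORG-ID>"          # placeholder
  subject             = "sc://<ADO-ORG>/<ADO-PROJECT>/<SERVICE-CONNECTION>"   # placeholder
}
```

The AcrPush and AKS role assignments the diagram marks as "assigned outside TF" are deliberately left out, since the pipeline identity cannot bootstrap its own permissions from within the run it authenticates.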
